Closed Bug 622029 Opened 14 years ago Closed 14 years ago

Malicious code injection

Categories

(Firefox :: Security, defect)

defect
Not set
critical

VERIFIED INVALID

People

(Reporter: u17130, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729)

Justin Samuel is now working for, and submitting code to, Firefox. He is a well known FBI informant with a record for subverting organizations internally. How can we brand Firefox a “safe and secure” browser with someone who signed a plea agreement obligating him to provide information directly to the FBI?

Reproducible: Always

Steps to Reproduce:
1: Hire well known FBI Informant
2: Compromise codebase

Actual Results:
Losing all trust from OSS community.

Expected Results:
Known untrustworthy people shouldn't be permitted to work on trusted projects. Should be held accountable for their actions.

Get rid of the guy. This is a sad sad day he turned up here. Yes this is a human interface bug and not a code fix but figured might as well report it here given it's a bug nevertheless.

Um yeah, sorry, no. This isn't a bug, if you have problems, take it up in the groups, but frankly, Firefox is open-source, anyone in the world can view the code, if code was hidden in it, others would find it. I'm sure others will say the same thing.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
>anyone in the world can view the code

That is not the full truth. Anyone in the world can also submit code to any open source project and in the case of Mozilla.org each patch will be reviewed by a second person before it gets into the source repository. From that point anyone in the world can look at the code. You never know who is the person behind a patch, it could be only Joe Hacker but it could be also the son of Kim Jong-il, the BKA, CIA, FBI, MI5... The open source model gives you a chance to audit the code yourself.
Status: RESOLVED → VERIFIED